Chapter 5: Django Admin – Update Members

How to update, edit, or modify existing members (staff users) in the Django admin.

Most people learn how to create users, but then get stuck when they need to:

  • Change someone’s password
  • Add/remove them from groups
  • Revoke permissions
  • Make someone inactive
  • Promote someone to superuser (rare, but happens)
  • Fix a typo in email or username
  • See login history / last login

We’re going to walk through every realistic update scenario step by step — slowly, like I’m guiding your mouse and keyboard.

Step 1 – Log In as Superuser (Only Superuser Can Edit Users)

Go to http://127.0.0.1:8000/admin/

Log in with your superuser account (the one from createsuperuser).

Important: Normal staff users cannot edit other users unless you explicitly give them the auth | user | Can change user permission. That is dangerous, because a user who can edit users can raise their own permissions, and it is almost never done.

Step 2 – Find the User You Want to Update

In the admin dashboard:

  1. Under Authentication and Authorization → click Users
  2. You see the list of all users
    • Username
    • Email
    • First/last name
    • Staff status
    • Active status
    • Superuser status
    • Date joined
    • Last login
  3. Click the username of the person you want to edit (example: editor-rani)

→ You land on the change user page

Step 3 – The Change User Page – What You Can Update

This page has several sections — let’s go through each one:

1. Personal info

  • Username → change if typo (careful — many systems use username as identifier)
  • Password → click this link: “Change password” → set new one
  • First name / Last name → optional but nice for display
  • Email address → very useful for password reset / notifications

2. Permissions

Three checkboxes — very powerful, be careful:

  • Active → Uncheck = user cannot log in anywhere (most common way to “disable” someone) → Check = user can log in
  • Staff status → Check = user can access /admin/ → Uncheck = no admin access, even if the user is in groups
  • Superuser status → Check = full god-mode access (everything, bypasses all permissions) → Almost never give this except to 1–2 trusted developers

3. Important: Groups (Recommended Way to Manage Permissions)

  • Available groups → all groups you created
  • Chosen groups → groups this user currently belongs to

Examples:

  • Want to promote editor-rani to also view users → add Support Team group
  • Want to remove all access → remove from all groups + uncheck Staff status
  • Want to give read-only polls → add Poll Viewers group

Click the arrows to move groups → Save

4. User permissions (Advanced – Usually Avoid)

Below the groups you see the list of specific permissions.

Best practice: Leave this section empty and manage everything via groups. Assigning individual permissions to users creates chaos when the team grows.

Only use this section if:

  • One specific user needs one very special permission
  • You have no groups yet (temporary)

5. Important dates (Read-only)

  • Date joined
  • Last login
  • Useful for auditing: “When did Priya last log in?”

Step 4 – Real-Life Update Examples (Do These Now)

Example 1: Disable / Deactivate a user

Scenario: Employee left the team

  1. Go to Users → click editor-rani
  2. Uncheck Active
  3. Save

→ User can no longer log in (anywhere: admin, or frontend if you use auth)

Example 2: Change password for someone who forgot

  1. Click user
  2. Click Change password link (under password field)
  3. Enter new password twice
  4. Save

→ User gets new password (you can email it securely)

Example 3: Promote editor to also handle support tickets

  1. Click user
  2. In Groups → add Support Team to Chosen groups
  3. Save

→ Now has both Poll Editors + Support Team permissions

Example 4: Revoke admin access but keep account active

  1. Click user
  2. Uncheck Staff status
  3. Save

→ Can no longer access /admin/, but if they have frontend login → still works

Example 5: Make someone superuser (rare – be very careful)

  1. Check Superuser status
  2. Save

→ Now has full access — use only for trusted people

Step 5 – Quick Security Checklist (Real Project 2026)

  • Never share superuser credentials
  • Use groups for 95%+ of permission management
  • Regularly review Users → filter is_staff=True → check who has access
  • Set is_active=False when someone leaves (don’t delete — audit trail)
  • Enable password reset email (requires email backend in settings)
  • In production: force HTTPS, 2FA (django-two-factor-auth), strong password validators
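
The staff review from the checklist above, as an added example (not code from the original tutorial): the function flags superusers, deactivated accounts that still carry admin flags or groups, direct per-user permissions, and staff accounts with stale or missing logins. The row layout, the 90-day threshold and every sample account except editor-rani are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# In a Django project the rows would come from the ORM, for example:
#   User.objects.annotate(group_count=Count("groups", distinct=True),
#                         direct_perms=Count("user_permissions", distinct=True)
#       ).values("username", "is_active", "is_staff", "is_superuser",
#                "last_login", "group_count", "direct_perms")
# The rows below are constructed sample data so the block runs offline.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed "today" for the sample

def row(username, active, staff, superuser, last_login, group_count, direct_perms):
    return dict(username=username, is_active=active, is_staff=staff,
                is_superuser=superuser, last_login=last_login,
                group_count=group_count, direct_perms=direct_perms)

SAMPLE_ROWS = [
    row("editor-rani", True, True, False, NOW - timedelta(days=5), 1, 0),
    row("old-admin", True, True, True, NOW - timedelta(days=200), 0, 0),
    row("left-team", False, True, False, NOW - timedelta(days=60), 2, 0),
    row("temp-helper", True, True, False, None, 0, 3),
]

def audit_accounts(rows, now, stale_days=90):
    """Return {username: [findings]} for accounts that need a manual review."""
    cutoff = now - timedelta(days=stale_days)
    report = {}
    for u in rows:
        notes = []
        privileged = u["is_staff"] or u["is_superuser"]
        if u["is_superuser"]:
            notes.append("superuser: bypasses all permission checks")
        if not u["is_active"] and (privileged or u["group_count"]):
            # Deactivated, but re-checking Active would restore admin access.
            notes.append("inactive but still has staff/superuser flag or groups")
        if u["direct_perms"]:
            notes.append(f"{u['direct_perms']} direct permission(s), use a group")
        if u["is_active"] and privileged:
            if u["last_login"] is None:
                notes.append("admin access but never logged in")
            elif u["last_login"] < cutoff:
                notes.append(f"admin access, no login in {stale_days}+ days")
        if notes:
            report[u["username"]] = notes
    return report

if __name__ == "__main__":
    for name, notes in audit_accounts(SAMPLE_ROWS, NOW).items():
        print(name, "->", "; ".join(notes))
```
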

Your Quick Task Right Now (Do It – It Will Stick)

  1. Go to Users list
  2. Pick one of your test users (e.g. editor-rani)
  3. Change something:
    • Add/remove a group
    • Toggle Active / Staff status
    • Change email or add first/last name
  4. Save
  5. Open an incognito window → log in as that user → see what changed
  6. As superuser → change back if needed

Tell me what feels next:

  • “Done! Now show me how to reset forgotten passwords via admin/email”
  • “How to add custom fields to User model (phone, profile photo)?”
  • “I want object-level permissions (user can edit only their own questions)”
  • “Got error when changing permissions – here’s message”
  • Or finally ready for: “Let’s build the voting system – form + POST + F() + results page”

You now know exactly how to update members in Django admin — this is what real teams do every week.

You’re doing really well — let’s keep this momentum! 🚀🇮🇳
